Swedish ISP Starts Deleting Log Files To Protect Users From IPRED Law

from the and-so-it-goes dept

There's been plenty of attention paid to Sweden's new IPRED law, which requires ISPs to hand over identifying information on those accused of file sharing -- but we've already noted that all the law is really doing is driving people to alternatives, such as encryption. And, now, it appears that even ISPs are recognizing that it just makes good business sense to better protect their users. Broadband Reports points out that a Swedish ISP, Bahnhof, has started destroying its own log files, rather than hand them over to authorities. The company's CEO notes that nothing in the law requires ISPs to keep log files -- but only to turn over what info has been retained. It seems likely that Bahnhof may have just convinced a bunch of folks to see if they can sign up for new broadband from the company. Any bets on how long it takes Sweden to pass a new law requiring ISPs to retain data for a certain period of time? Even the CEO admits that's likely -- but notes that it will show this is nothing more than a witch hunt by the entertainment industry:

"And then the legislators will have to step up and say they want to have data storage, not to catch terrorists but to help record companies and the movie industry in the hunt for file sharers."

Storing the data may break the law

This is not very surprising considering that one of Swedens most influencial bloggers, IP-sceptic and lifestyle libertarian Oscar Swartz, is the one who founded this ISP in 1994. Although he has left it now I guess some of the freedom spirit (or at least good sense of what the customers want) lives on.
There are been reports of two smaller Swedish ISPs taking the same approach.

When this was uncovered it was reported in the news as Bahnhof exploiting a loophole in the legislation. The truth is however that politicians have been aware of this for a long time. Since the EU data retention directive forces Sweden to introduce data retention laws they probably await the implementation of that since they can then blame EU and the former minister of the justice department (he was one of those who most strongly pushed for the introduction of this EU directive - now he is in opposition). Since the data retention directive is meant to fight heavy crime, it's not yet certain that rights holders will be able to gain access to data upon suspicion of less serious crimes.

What's interesting is that we here in Sweden currently have a law on electronic communications that dictates that those who provide networks for eletronic communication may not store traffic data longer than necessary in order to distribute electronic messages or for billing (and IP-address logs aren't needed for billing). Hence, it would actually seem to be illegal for them to store logs of what IP-addresses were assigned to whom at what times.

So while the media has been painting a picture of Bahnhof as the black sheep or at least as a form of political protester/activist, it may be its competitors who are breaking the law when they say they do store this info.

No, they never created the logs in the first place.

IIRC the ARS Technica coverage of this story made it clear (they actually talked to Bahnhof) that the ISP never actually logged the information in the first place, and they're not deleting logfiles now. I don't think they've changed what they do at all, they're just bringing this fact to the attention of potential customers who might be interested in their lack of logging.

And when the Swedish government passes the law, and proves they are stooges of the entertainment industry, it'll just ensure that Sweden's Pirate Party gets an even bigger presence in the government come the next election.

@Cynical
yes, I think it's the same in Germany. However, there's nothing in the EU directive that forces nations to disclose the information it forces them to store. In fact the directive was accused of being passed on the wrong grounds, but the european court of justice didn't agree and found the data retention was not related to police cooperation but rather establishing an even ground between ISP competitors in different EU member countries.

So in theory if the ISPs encrypted the data that they are obliged to keep, and then threw away the encryption key they would still live up to the spirit (although maybe not letter) of the directive since it is (officially at least) just meant to put an equal burdon on ISPs in all countries. In practice it would probably not be possible though, but I'd love to see some country try it. However, it's still up to the individual countries to regulate under what circumstances the data may be accessed and they are free to not release it under any circumstances if they want.

I really wonder what's next. France introduces HADOPI which limits people's right to internet access without preceeding court trial and then claim that this puts an extra burdon on french ISPs and therefore ISPs in all member countries should be obliged to do the same?

Hi Tor, Articles 4 and 6 of the 2006 Data Retention Directive (see below) would appear to suggest that there is a case for mandatory disclosure.
What's next? See ACTA, and combine it with Data Retention, the mix of BSA, MPAA and RIAA aversion to new business models and equating piracy (patch kind), terrorism and downloading, and and Sarkozy's shenanigans, and the picture is not pretty.

Article 4
Access to data
Art. 4 - Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided only to the competent national authorities in specific cases and in accordance with national law. The procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in accordance with necessity and proportionality requirements shall be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights.
Article 8
Storage requirements for retained data
Member States shall ensure that the data specified in Article 5 are retained in accordance with this Directive in such a way that the data retained and any other necessary information relating to such data can be transmitted upon request to the competent authorities without undue delay.

ipred

Doesn't IPRED refer to IP Rights Enforcement Directive(2), the as yet un-enacted EC Directive, pushed by US lobbies, that mandates criminal penalties for IP offences? (There is IPRED1, enacted in 2004 and addressing civil penalties, but the controversial IPRED2 is still waiting in the wings.) Sweden's law (relating to criminal penalties for illegal downloads discoverable through the retention directive) cannot be an IPRED law if there's no IPRED. It is hard enough to follow the fate of this proposed Directive without using its name for only tangentially related legislation, no?

Wow

@bikey:
I think those articles only confirm what I said. Read closely: "The procedures to be followed and the conditions to be fulfilled in order to gain access to retained data (...) shall be defined by each Member State"

Of course, some will look at all the stored data as children look at candy, so in practice it may not help much to let the member states regultate this on their own. At least it makes it easier to assign responsibility for the decisions.

IPRED

Hi Tor Arguably. I guess you still have confidence in 'competent national authorities' and 'national law'. I have long abandoned such comforts. Don't the former dream up methods of abuse and then write up memos backing themselves up with the latter? Or am I confused here?

Re: Good for him!

Good call, this will force their hand and expose the lawmakers being in bed with and paid for by the entertainment industry.

That's not exactly a secret even now. But Swedish voters, it seems, are no more concerned with corruption than American ones are. In fact, I'm starting to think that American voters have come to actually admire corruption.

@Anonymous Coward 1:
If Weird Harold said that then he's wrong. The EU directive will eventually force logs, but it has not yet been implemented into Swedish law. If IP-adress logs count as "traffic data" (I and would suppose they do) the ISPs may not store such data any longer than necessary to fulfil their service or bill the users. For IP-adress logs I would suppose it means that they may not be stored at all.

@Anonymous Coward 2:
I don't think one can compare Sweden to America in that regard since we have publicly funded elections, so we have almost none of the kind of corruption that people like Lawrence Lessig writes about. I would absolutely not call our politicians corrupt, but I do think they are out of touch and listen too much to the content industries and often have bad advisors which are too close to the industry. During the police investigation of The Pirate Bay there was a very disturbing thing though - the police responsible for the investigation (and who probably knew lots of info about TPB that he wasn't allowed to reveal) was hired by Warner Brothers just after the investigation had ended.